Browser security cannot be ignored. It’s where people spend most of their working day, and it’s where attackers focus most of their attacks.
Statistics come from Menlo Security’s analysis of 750,000 browser-based phishing attacks targeting more than 800 entities detected over the last 12 months. This analysis reveals a 140% increase in browser phishing, including a 130% increase in zero-hour phishing attacks (effectively, a zero-day attack applied to phishing).
The reasons for the growth are multiple: our growing reliance on the browser for much of our daily work, the prevalence of zero-day vulnerabilities, the increasing sophistication of the cybercriminal underworld, and, worryingly, the growing influence of gen-AI. Gen-AI is particularly concerning, both for its use today and its potential use in the future.
“Threat actors have advanced in speed and skills. They are using the same tools and infrastructure as professional engineers,” comments Andrew Harding, VP of security strategy at Menlo Security. “We’re seeing a dangerous combination of zero-day attacks, advanced social engineering techniques, sophisticated phishing techniques, and readily available phishing-as-a-service kits, all designed to infiltrate systems and steal valuable data.”
He adds, “This trend is only poised to escalate dramatically in 2025 as attackers adopt AI to increase both scale and effectiveness.”
The relevance of gen-AI is complex. It is used by criminals to create compelling phishing sites, it is used as a lure offering fake AI services, and it is used to create and scale sophisticated phishing attacks.
“It’s very difficult for end users to identify these browser-based phishing attacks since they are mostly using trusted services,” warns Thomas Richards, red team practice director at Black Duck. “Before proceeding with account creation, or entering credentials on an unknown website, it’s best to do some research to ensure that it is the original website and not a forgery.”
Menlo’s report (PDF) says the firm detected nearly 600 incidents with imposter sites passing themselves off as gen-AI sites offering fake AI services. Gen-AI is used by criminals to create compelling deepfakes and to research individual targets for more efficient phishing. This will only increase in the future.
“Phishers exploit the high public interest in gen-AI by imitating popular AI platforms, banking on user curiosity and trust in cutting-edge technology,” warns Jason Soroko, senior fellow at Sectigo. “Vigilant verification of domain authenticity remains essential to avoid falling prey to these deceptive tactics – know where you are browsing.”
Interestingly, however, most gen-AI fraud was not for the purpose of credential theft (the traditional first purpose of phishing). Harding notes that the fake gen-AI sites trick people into entering personal data for the purpose, perhaps, of generating a resume. “The returned document is typically a PDF,” he explains, “where malware can hide out and be delivered.” Gen-AI is, in short, beginning to allow criminals to skip the credential theft stage of an attack and go straight to the common final stage – the delivery of ransomware in an expected PDF.
“Attackers will continue exploiting trusted platforms and using gen-AI to create more convincing phishing campaigns at unprecedented scale,” adds Stephen Kowski, field CTO at SlashNext. “The combination of speed, creativity, and automation will make these threats particularly challenging.”
This is especially relevant to the use of browsers on mobile devices. “Combining these capabilities with the form factor or mobile browsers, with their limited URL visibility and reliance on auto-login features, provides the perfect storm for attackers to steal credentials without raising suspicion,” explains Krishna Vishnubhotla, VP of product strategy at Zimperium.
Menlo also comments on the growing use of phishing-as-a-service (PhaaS) and expects this to increase. PhaaS is not solely a browser-based problem. Separately, a report from Barracuda published on the same day as Menlo’s browser-specific report (March 19, 2025) notes, “The first few months of 2025 saw a massive spike in phishing-as-a-service (PhaaS) attacks targeting organizations around the world, with more than a million attacks detected by Barracuda systems in January and February.” It adds that Tycoon 2FA was the most prominent PhaaS platform, accounting for 89% of the incidents seen in January.
“The integration of AI and large language models (LLMs) into these cybercrime services will further enhance the scale and automation of attacks, enabling cybercriminals to leverage sophisticated browser-based phishing techniques and automated social media reconnaissance for more effective phishing campaigns,” says Menlo.
